It's Time for A New Approach to Training Cybersecurity Practitioners
When it comes to staffing cybersecurity teams, it's not hyperbole to say that many businesses are in dire straits. A recent estimate from ISC^2 found, for example, suggests that there is a global shortfall of 2.9 million cybersecurity professionals. Data from ISACA found that it can take upwards of 6 months for many organizations to fill important cybersecurity positions — assuming of course, that the organization is able to fill them at all.
This scarcity of a reliable skill base can sometimes cause hiring managers to overlook things in candidates that would be patently unacceptable if it were a "buyer's market" where employees were competing heavily for positions. For example, many candidates in the job market are fundamentally underprepared or unequipped to hit the ground running in a cybersecurity operations team. Why? In some cases, they're missing critical technical skills. In other cases they're missing softer skills that allow them to work well with business partners or other areas of the organization. Sometimes, they have all the right skills but don't have the right mindset.
As an example of what I mean for technical skills, one recent experience that springs to mind involved working with a recent graduate from a large university's program. While working together, he asked for help using a feature in Linux he told me he didn't understand. After some back and forth trying to figure out which feature specifically he was asking about, I eventually came to realize that he was asking about the command shell. As in, he hadn't used one. In this case, part of the job we needed him to do involved aspects of system administration (e.g. installing and running tools, keeping the device patched, writing simple scripts, etc.) Business skills are equally important though. For example, I've worked side-by-side with recent entrants to the security job market who've been too timid to ask executives hard questions, who don't understand (and are unwilling to learn) what the business actually does, etc. Thus, they think about security in a vacuum, and not in the context of how it enables business goals.
The point is, such a dire shortage of skills in the cybersecurity profession can hide a host of sins. For example, how does an organization know that they are getting a qualified, useful, "job ready" candidate? There are certifications and degree programs of course, but it's more about skills than acquiring knowledge (for the same reason that I'll never have Ty Cobb's batting average no matter how much I study the rules of baseball).
There are also individuals out there that just won't ever be a "rock star" security practitioner because of the way they view the world. A "security mindset" involves looking instinctively for ways to "game the system", circumvent controls, or obtain unexpected consequences through purposeful misuse. If someone doesn't do that innately, it's hard to teach that. They might make a passable resource, but they'll probably never excel.
At Prelude, our core belief is that aspects of what gives a resource a "security mindset" can be tested for, even among populations that aren't already in the security workforce. A stay-at-home parent, taxi driver, or hair stylist might have exactly the right way of looking at the world, the right frame of mind, and the right curiosity to make them a stellar cybersecurity practitioner. They might derive more job satisfaction, better compensation, and better quality of life if they could somehow break into the profession.
We also believe that working with employers to determine what skills they need, what tools they use, and the critical characteristics of a candidate allows us to build educational experiences tailored to them. This results in highly qualified candidates — even more qualified for the role that organization is looking to fill than most candidates already in the professional job market.
Our goal is to work with employers to determine a new, always up-to-date criteria-set that defines what "excellent" looks like, and help produce practitioners for them in less time, for less money. Focusing on helping to transform people with a "security mindset" into excellent employees will help reduce the current massive skills gap, and transform many individual lives. Transforming these lives at scale is how we can start to attack the massive issue of inequality in the US. It's important to get this right — not just for companies and individuals, but for the safety of our global economic system.